Sunday, December 13

Fact: if the NSA were to detect the presence of a malicious worm or destructive virus on a U.S. Internet server targeted at a bank, perhaps stealing money from that bank, it could do nothing but warn the bank. The bank, most likely, does not have the capacity to deal with the worm itself; the NSA does not have the legal authority to employ methods to screen out the bad code, even though it has the technological capability. You can employ any type of thought of experiment you want here. Entities like utility companies and banks often rely on overtaxed communications networks to assess their performance; those communications networks are extraordinarily vulnerable because they rely on vulnerable machines -- machines that are old and were built with technology that, in many instances, originated elsewhere. The backbone of the Internet itself is very fragile; the VeriSign corporation, which essentially runs the Net, deals with thousands of attacks per day, some of them harmless, some of them dangerous, some of them from state actors (like China), others from well-funded and savvy techno-terrorists.

This is a tech problem and a law problem. Congress is trying to come up with ways to designate certain types of corporations that are responsible for large segments of some major activity -- power generation, money transferring, information sharing -- as, essentially, too big to fail -- or be shut down -- by cyber intruders. The idea, in essence, would be to require these entities to submit to a cyber audit. In the event of a major attack, the government (actually, the Department of Homeland Security, using NSA technology) would have the authority to quarantine the problem until it was removed. As you might imagine, this approach raises hackles with a lot of people. The corporations resist the idea of government intrusion. Their CFOs don't see the risk, so they're not interested in spending money to preemptively solve the problem. Civil libertarians properly ask about oversight; who's going to watch the watchers? Technologists wonder whether there aren't other ways to protect the nation's information grid from systemic threats.
(cont.)